NETASQ firewalls....

Looking at the Netsack model you mention in the OP, the equivalent WG model is the XTM330 - these are about £1000 per unit with 3 years UTM

The Fortigate 100 would probably be about 1500 quid
 
Agreed, an XTM330 sounds good. Installed a couple of these recently and they would be a good enough choice. Definitely install WSC on another logging server though, it's very helpful rather than relying on local logs.

- GP
 
Ah thanks!

Do either of you have any experience with the spam filtering capabilities of these?

We're also looking at possibly using forefront online protection for exchange as it's dirt cheap for schools, any experiences with that?
 
Alas yes. It's all controlled by an external database managed by Watchguard - the feature key license covers this for the period that you're covered for. It's OK at what it does, no real complaints there, however it lacks control. You can define how the spam is handled (drop/quarantine/log/mark) and then users are emailed (usually daily) from your WSC server and they can review and release their own mail

- GP
 
Certainly an improvement on what we have now. So the emails the users get from the server to release mail, is the mail categorised so that we can only allow spam that falls within a set severity to be released? I assume they don't get shown every single email that attempted to come in to their account, porn n all, that they can release?
 
Yeah, I've used the 330 on a number of occasions, great devices. I always create a management host with the management software, logging service, WebBlocker services etc.

Spam filtering is OK, nothing amazing.

You didn't say you were a school though! Forget UTM on the firewalls and get a Lightspeed device. Designed for schools - you can do stuff like allow a teacher to open up YouTube to their class for the duration of a lesson. It also has a lot of duty of care stuff, can monitor IM etc. Worth a look :)
 
Whoops, thought I'd mentioned school in my OP, missed that out!

We'll be doing the web filtering completely separately from the firewall and spam filters' job, mainly because every time I look at a device to do all 3 tasks one aspect of it tends to be a bit ...... well ****! :D Smoothwall are a good example of that, good web filter, bad firewall.

Will be getting Smoothwall, Bloxx and Lightspeed in to show off their web filtering. All nice school-focussed systems :) To be honest though I've not bothered to look at any of them for email filtering...
 
Well if you are looking to remove the UTM features from the device then you probably don't even need to consider anything like this? Go for an ASA or an SSG/SRX - or am I getting the wrong end of the stick? If web filtering is separate then get a relay filtering service like Messagelabs and have it all external with only the VPN/Firewall service onsite.

- GP
 
Bloxx devices are nice but not school focussed. Smoothwall I have no idea about.

The thing with Lightspeed is it's a complete solution for spam, internet, duty of care, IM filtering etc. A friend of mine is an IT manager in a school and got one last year - it's already picked up on some issues with the kids, meant someone could step in before someone got hurt... that makes it worth infinitely more than its purchase price if you ask me.

Do you want me to ask if he'll have a chat with you about it?

I agree that if you take UTM out of the equation then an ASA or Juniper would be good, although I put XTM 5 series in at my friend's school and they're doing a cracking job.
 
Maybe I'm confusing what I need from my devices then? I didn't realise there was so much complexity to it all before I started looking at it (my job's always been more focused on what goes on inside a network and other people have done the perimeter/outside setup).

I'll try and outline what I need and what I currently use:
Currently ....
Firewall - ISA 2006 server used for publishing websites, Exchange (SMTP, OWA etc.) and various rules for other protocols required by the network, be it in or out, nothing bespoke or out of the ordinary. So old and outdated; we want to replace this with something with Active Directory integration etc.
Mail filters - Two Linux boxes running SpamAssassin - very old version of Fedora running on them (CLI only); none of us are really that Linux savvy so we don't do much with them. Here we want to replace these with something that's easier to manage and even gives the user something back, such as the ability to release blocked mail.
Web Filtering - At the moment this is provided by the internet provider at their end; this is just a URL-only piece of junk.
Internet connection - 30mb leased line

Here's what we're looking at for replacement:
Internet connection - 76Mbps FTTC 1:1 line (hell of a lot cheaper than a leased line!)
Web Filtering - Either Bloxx, Smoothwall or Lightspeed
Mail filtering - After rethinking this part, perhaps one of the above web filtering options would be a good bet to package this with, seeing as they all provide it?
Firewall - This is the part I'm stuck at, but I'm guessing I only need something more basic than previous information has suggested? That said, we do want more control over security, simplicity of management and so on. School networks progress surprisingly fast (5 years ago we had about 250 PCs, now we have over 600 devices and things like iPads are becoming more and more prominent).

Is that helpful at all?
 
If it was me then I would probably look at an ASA (5515x) and then move mail filtering and web filtering to Messagelabs (or iCritical but this isn't anywhere near as good, might be cheaper). That instantly removes half of your concerns, moves it to the cloud for resilient services (especially on an FTTC line).

Unfortunately what you need here is somebody to provide a proper consultation; it's moved a lot on from your initial query and an entire toolbox of spanners has been deposited into the works. If I were you I'd get a consultant in for a day, discuss your requirements and then, depending on your skill-set internally, look at getting this professionally done (or learn on the job, depends on how flexible you are in this respect).

- GP
 
That clears it up a bit

Your setup is remarkably similar in size and direction to my friend, interesting to see :)

Keep the ISA or upgrade it to Forefront TMG - it makes a great reverse proxy to sit in a DMZ

SpamAssassin is junk TBH, someone implemented a similar setup here and it's utterly useless. My friend was running the Watchguard spam filter before he switched on that part of the Lightspeed and it worked OK, the Lightspeed is better though. If you want really decent web filtering, I'd personally look at something like Websense hosted mail security.

Think of firewalls as being in 2 camps - UTM/application layer devices and basic stateful devices. The Fortinet, Netsack etc. are on the former side - they will handle all your web filtering, spam, AV... everything. You can even allow Facebook but deny Farmville. But unless you spend big money, they can be jack of all trades, master of none. Devices like the Cisco ASA and Juniper SRX are more basic rules-based devices. They will give you the routing, VPN, DMZ, NAT etc. that you need and be as robust as you will ever want.

So, what I would do

Internet connection - Great, but look at the SLA and possibly consider a backup of some sort - even just a basic ADSL maybe

Web filtering - Lightspeed or something similar. I'll guarantee Bloxx isn't going to be anywhere near as cost effective in your sort of environment. Plus having an alert pop up to a teacher if kids are on MSN and suicide, eating disorders etc. comes up is pretty invaluable.

Mail filtering - Given that it's part of the package with boxes like the Lightspeed and some firewalls, see how it goes with those first. If they aren't doing the job, Websense Hosted Email.

Firewall - depends what you like really. Cisco ASA, Juniper SRX, Watchguard with the basic licensing... all good. Consider your throughput though - is it just internet connectivity? Will it ever be more? When I put the Watchguards in for my friend, they were dividing the school network so it had a secure area for teachers to access with RDP, but there are file/email servers either side of that so quite a bit of traffic going through the boxes potentially.
 
For the internet connection we have got a price for an ADSL backup which we'll probably get, although being FTTC if anything fails to take out the FTTC connection the backup one will probably die too but you never know :p

I do like the sounds of what you're saying about lightspeed, I've got them coming some point during March to present their product to our management (will end up getting 3 companies in regardless as it's a council requirement for contract services)

As for firewalls..... am I confusing things when I say web filtering in the sense of something like Lightspeed compared to web filtering in the sense of something such as application layer filtering? Is it one term sometimes used for two different reasons, as I've got a bit confused in some areas I think.

We do have a home access system much like what your mate seems to have been implementing, whereby teachers can use RDP RemoteApp to use various applications on a terminal server, access files within their shares through a web browser and so on; surprisingly good system considering it's free and coded by a guy at a school in Wales, take a look at this: hap.codeplex.com

So overall though I probably don't need any of the application layer firewall features I previously thought I might? Seeing as it's the one time we'll be doing this for the next X amount of years, could it be a good idea to put one in anyway even if we don't use those features right away? (I honestly don't even know what features I could be thinking about here, I just want to make sure I get something that's going to cover growth :p)

Thank you for the help with all this by the way, I've been going in circles with it for a while, problem is I can never sit and focus on it. Such is the nature of school IT, jack of all trades, master of very few! :D
 
Generally web filtering will either be application aware or not.

Basic web filtering would be "block Facebook.com" or "allow gambling sites but only to teachers". Application awareness takes that to the next level - allow Facebook but disallow games, except during lunch hours. Or, more relevant in a school, block Facebook, but understand what Facebook looks like so it's blocked even through a proxy of some sort.

The network layout he's implemented is more about the internal network; by providing a secure walled garden for admin/teachers, the odds of pupils getting into secure files is almost nil. If you wanted something more advanced, Microsoft UAG does remote access rather well and academic pricing means it's cheap as chips.

The only reason you'd want application awareness/web filtering on your firewall is in case your primary appliance fails, but it's not worth worrying about too much. One thing I'm not sure if the Lightspeed does is AV - being able to scan traffic as it passes through the firewall is a godsend in a school, means it doesn't even touch a disk before it's blocked. Has a huge impact on performance though, so make sure you get the throughput figure of the firewall with AV enabled if this is something you'd want to do.
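To make the basic-versus-application-aware distinction from the post above concrete, here is an added toy policy engine (my own illustration, not code from any product named in this thread). It assumes a constructed policy: URL-only rules judge the host in the outer URL, while application-aware rules classify the real destination (the Host header or CONNECT target seen inside a proxied request, supplied here as `inner_host`) and honour a lunch-hour window.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed sample policy (assumption: real products structure this differently).
# Basic, URL-level rules: a category per registrable domain, and which groups may use it.
CATEGORY = {"bet365.com": "gambling", "facebook.com": "social"}
CATEGORY_ALLOWED_FOR = {"gambling": {"teachers"}, "social": set()}

# Application signatures: what each app looks like on the wire (host suffixes),
# most specific first so "Facebook games" wins over plain "Facebook".
APP_SIGNATURES = [("facebook-games", ("apps.facebook.com",)),
                  ("facebook", ("facebook.com", "fbcdn.net"))]
LUNCH = (time(12, 0), time(13, 0))
# Application rules, evaluated in order: (app, action, time window or None).
APP_RULES = [("facebook-games", "allow", LUNCH),   # games only during lunch
             ("facebook-games", "deny", None),
             ("facebook", "deny", None)]          # block Facebook, proxied or not

def registrable(host):
    """Crude registrable-domain extraction: keep the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_app(host):
    """Return the application name matching host, or None if unknown."""
    h = host.lower()
    for app, suffixes in APP_SIGNATURES:
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return app
    return None

def basic_filter(url, group):
    """URL-only filtering: it can only judge the host in the outer URL."""
    cat = CATEGORY.get(registrable(urlsplit(url).hostname or ""))
    if cat and group not in CATEGORY_ALLOWED_FOR.get(cat, set()):
        return "deny"
    return "allow"

def app_aware_filter(url, group, now, inner_host=None):
    """Application-aware filtering: judge the real destination (inner_host is the
    Host header / CONNECT target seen when the client goes via a proxy), apply the
    app rules with their time windows, then fall back to the basic rules."""
    host = inner_host or urlsplit(url).hostname or ""
    app = classify_app(host)
    for rule_app, action, window in APP_RULES:
        if rule_app == app and (window is None or window[0] <= now < window[1]):
            return action
    return basic_filter("http://%s/" % host, group)
```

The constructed proxied request shows the gap: `basic_filter` sees only `proxy.example` and allows it, while `app_aware_filter` classifies the inner host as Facebook and denies it.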
 
I assume your mate has his network set up so that teacher and admin PCs are on separate VLANs or something then? Seems to be more common that people are doing that recently. Years ago when all school networks were just flat networks they were all cabled so that there were two separate physical networks; it was a vile way of setting up a network, glad those days are over! :D

Anyway, I think I've been given a much better understanding as to what it is I need to be looking for. Prior to this thread I've been hunting through various product pages and being wowed by fancy bold features that each can do, without fully understanding them. Definitely a hell of a lot more to it than I thought when I first started looking though!
 
He's mostly terminal services, so they RDP into terminal servers within the "walled garden". A few fat clients are on the VLAN directly, but those have port security on them to prevent tampering.

It's all too easy to get caught up in the marketing literature and think "ooh I'd really like feature x", but staying focussed on what you need is the important thing.
 